[wp-trac] [WordPress Trac] #57809: Application password success_url should allow http when host is localhost or localhost:port

WordPress Trac noreply at wordpress.org
Sat Feb 25 22:17:47 UTC 2023


#57809: Application password success_url should allow http when host is localhost
or localhost:port
-----------------------------------+------------------------------
 Reporter:  aquarius               |       Owner:  (none)
     Type:  enhancement            |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Application Passwords  |     Version:
 Severity:  normal                 |  Resolution:
 Keywords:  close                  |     Focuses:
-----------------------------------+------------------------------

Comment (by aquarius):

 Replying to [comment:2 TobiasBg]:
 > Thanks for the ticket! It looks like this has been considered and you
 > can achieve this by configuring an environment type, see
 > https://core.trac.wordpress.org/ticket/52092#comment:1 .

 Ah, no, that's a different issue. That allows a locally running WordPress
 to create application passwords in the admin by setting
 environment type to local, and works great. What I'm talking about is
 something different: a locally running _consumer_ of the API, something
 that isn't WordPress itself. I build an app -- a desktop app, or a web app
 currently in testing before deployment -- which wants an application
 password so it can consume your WordPress data from
 https://wordpress.example.com/wp-json. My web app is running on, say,
 localhost:3000 while I'm building and testing it. So to get an application
 password for the WordPress API, it will direct the user to
 https://wordpress.example.com/wp-admin/authorize-application.php?success_url=http://localhost:3000/got-password.
 This will fail, because authorize-application.php won't allow a
 success_url to be http. This makes testing the application difficult, and
 this is why browser APIs that require a secure context (https URLs) have
 an exception for http://localhost(:port).
 (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
 explains.)

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/57809#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
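
An added illustration of the check this ticket asks for, not WordPress core code and not written by anyone on the ticket: accept https, and accept http only when the parsed host is exactly localhost (any port). The function name, the sample URLs and the choice to consider only http and https targets are assumptions of this example.

```javascript
// Hypothetical validator for a success_url-style redirect target.
// Assumption: only http and https targets are considered in this example.
const LOCAL_HOSTS = new Set(['localhost']); // the host named in the ticket

function isAcceptableSuccessUrl(raw) {
  let url;
  try {
    // WHATWG URL parser: lowercases the host and separates userinfo and port.
    url = new URL(raw);
  } catch {
    return false; // unparseable input is never a valid redirect target
  }
  if (url.protocol === 'https:') return true;
  if (url.protocol !== 'http:') return false;
  // Plain http from here on. Reject embedded credentials, which are how
  // "http://localhost:3000@other-host/" disguises its real host.
  if (url.username !== '' || url.password !== '') return false;
  // Compare the parsed hostname exactly. A prefix or substring test on the
  // raw string would also accept "localhost.evil.example".
  return LOCAL_HOSTS.has(url.hostname);
}

// Constructed sample inputs (not taken from the ticket, apart from the first).
const SAMPLES = [
  'http://localhost:3000/got-password',
  'http://localhost/got-password',
  'http://LOCALHOST:3000/got-password',
  'https://app.example.com/got-password',
  'http://app.example.com/got-password',
  'http://localhost.evil.example/got-password',
  'http://localhost:3000@evil.example/got-password',
  'not a url',
];

function classify(urls) {
  return urls.map((u) => [u, isAcceptableSuccessUrl(u)]);
}

for (const [u, ok] of classify(SAMPLES)) {
  console.log(ok ? 'allow ' : 'reject', u);
}
```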

